Full Disclosure mailing list archives
"Index Of" redirection malware attack?
From: Malformation Guy <malformation () hotmail com>
Date: Tue, 16 Dec 2008 16:41:23 +1030
Hello fellow FD, I recently came across an interesting website redirecting and delivering malware and I'd like to ask a few questions An "Index of" that checks your referrer to see if you've found the site through a Google search. The index.php script is made to look just like a real 'Index of', except...it is a PHP script. If you are, it redirects you to http://us-euro.biz/in.cgi?4¶meter=htac and that site serves you pop-ups and other spyware. Use refspoof and TamperData and check http://vtes.vega.id.au/%3Fp=67/wp-login.php/wp-includes/?p=67/wp-login.php/wp-includes They're looking for any Google referrer like this: http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=something&btnG=Search&meta= Not only that, but http://site.com/? would use index.php and http://site.com would give index.html Am I correct? They're really crafty I reckon, and it's the first time I've seen where they've used a fake index of AND checked your referrer. Can someone confirm my thoughts and theories here? -Malformation _________________________________________________________________ Time for change? Find your ideal job with SEEK. http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Fninemsn%2Eseek%2Ecom%2Eau%2F%3Ftracking%3Dsk%3Atl%3Ask%3Anine%3A0%3Ahottag%3Achange&_t=757263783&_r=SEEK_tagline&_m=EXT
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- "Index Of" redirection malware attack? Malformation Guy (Dec 15)
- Re: "Index Of" redirection malware attack? Malformation Guy (Dec 15)